authorDamien Laniel <dlaniel@entrouvert.com>2006-12-20 09:03:41 +0000
committerDamien Laniel <dlaniel@entrouvert.com>2006-12-20 09:03:41 +0000
commit13f707bf30acd26ae9c6fac5321d0accd47a5b90 (patch)
treed90d87b90f4f6d4301c43380869ae94515af2485
parentc6f2dfb32f124fbd348e64c444ae2d42bc183309 (diff)
Allow the choice of the encryption algorithm to use
-rw-r--r--lasso/id-ff/provider.c14
-rw-r--r--lasso/id-ff/provider.h4
-rw-r--r--lasso/id-ff/providerprivate.h1
-rw-r--r--lasso/saml-2.0/login.c5
-rw-r--r--lasso/saml-2.0/logout.c3
-rw-r--r--lasso/xml/saml-2.0/saml2_assertion.c3
-rw-r--r--lasso/xml/saml-2.0/saml2_assertion.h3
-rw-r--r--lasso/xml/tools.c2
-rw-r--r--lasso/xml/xml.c43
-rw-r--r--lasso/xml/xml_enc.h19
-rw-r--r--swig/Lasso.i26
11 files changed, 110 insertions, 13 deletions
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
index 479695e6..04b4e3a3 100644
--- a/lasso/id-ff/provider.c
+++ b/lasso/id-ff/provider.c
@@ -1052,3 +1052,17 @@ lasso_provider_set_encryption_mode(LassoProvider *provider, LassoEncryptionMode
{
provider->private_data->encryption_mode = encryption_mode;
}
+
+/**
+ * lasso_provider_set_encryption_sym_key_type:
+ * @provider: provider to set encryption for
+ * @encryption_sym_key_type: enum type for generated symetric key
+ *
+ * Set the type of the generated encryption symetric key
+ **/
+void
+lasso_provider_set_encryption_sym_key_type(LassoProvider *provider,
+ LassoEncryptionSymKeyType encryption_sym_key_type)
+{
+ provider->private_data->encryption_sym_key_type = encryption_sym_key_type;
+}
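Review bot: The doc comment on lasso_provider_set_encryption_sym_key_type does not say when the setting takes effect; elsewhere in this commit the value is copied into the assertion by lasso_saml20_login_build_assertion (login.c) and only read at encryption time, so it has to be set before the assertion or logout request is built. I would add `* Must be called before the assertion or request is built; the value is copied into the assertion at that point.` and spell "symmetric" correctly in the two comment lines. Like lasso_provider_set_encryption_mode just above it, the setter dereferences provider->private_data with no guard; if a caller can reach it with a provider that has not been fully constructed, a `g_return_if_fail(LASSO_IS_PROVIDER(provider));` would fail loudly instead of crashing.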
diff --git a/lasso/id-ff/provider.h b/lasso/id-ff/provider.h
index 14c83068..ee5ec597 100644
--- a/lasso/id-ff/provider.h
+++ b/lasso/id-ff/provider.h
@@ -30,6 +30,7 @@ extern "C" {
#endif /* __cplusplus */
#include <lasso/xml/xml.h>
+#include <lasso/xml/xml_enc.h>
#define LASSO_TYPE_PROVIDER (lasso_provider_get_type())
#define LASSO_PROVIDER(obj) \
@@ -194,6 +195,9 @@ LASSO_EXPORT LassoProtocolConformance lasso_provider_get_protocol_conformance(
LASSO_EXPORT void lasso_provider_set_encryption_mode(LassoProvider *provider,
LassoEncryptionMode encryption_mode);
+LASSO_EXPORT void lasso_provider_set_encryption_sym_key_type(LassoProvider *provider,
+ LassoEncryptionSymKeyType encryption_sym_key_type);
+
#ifdef __cplusplus
}
#endif /* __cplusplus */
diff --git a/lasso/id-ff/providerprivate.h b/lasso/id-ff/providerprivate.h
index c3b39916..5c1806c5 100644
--- a/lasso/id-ff/providerprivate.h
+++ b/lasso/id-ff/providerprivate.h
@@ -61,6 +61,7 @@ struct _LassoProviderPrivate
char *encryption_public_key_str;
xmlSecKey *encryption_public_key;
LassoEncryptionMode encryption_mode;
+ LassoEncryptionSymKeyType encryption_sym_key_type;
};
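Review bot: Nothing in this commit initialises the new encryption_sym_key_type member of _LassoProviderPrivate; it starts out as LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT only if private_data is zero-allocated (not visible here) and only because that enumerator is listed first in xml_enc.h and therefore has value 0. An explicit assignment in the provider's instance init, mirroring the one added to saml2_assertion.c in this commit, would make the default independent of allocation and enum ordering. A short comment on the field, `/* symmetric cipher handed to lasso_node_encrypt(); see LassoEncryptionSymKeyType */`, would also help, since the struct otherwise gives no hint of what the value selects.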
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 092fcb98..9c95a981 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -673,7 +673,8 @@ lasso_saml20_login_build_assertion(LassoLogin *login,
&& provider->private_data->encryption_public_key != NULL) {
encrypted_element = LASSO_SAML2_ENCRYPTED_ELEMENT(lasso_node_encrypt(
LASSO_NODE(assertion->Subject->NameID),
- provider->private_data->encryption_public_key));
+ provider->private_data->encryption_public_key,
+ provider->private_data->encryption_sym_key_type));
if (encrypted_element != NULL) {
assertion->Subject->EncryptedID = encrypted_element;
assertion->Subject->NameID = NULL;
@@ -706,6 +707,8 @@ lasso_saml20_login_build_assertion(LassoLogin *login,
assertion->encryption_activated = TRUE;
assertion->encryption_public_key_str = g_strdup(
provider->private_data->encryption_public_key_str);
+ assertion->encryption_sym_key_type =
+ provider->private_data->encryption_sym_key_type;
}
/* store assertion in session object */
diff --git a/lasso/saml-2.0/logout.c b/lasso/saml-2.0/logout.c
index 25f649df..81dc55c9 100644
--- a/lasso/saml-2.0/logout.c
+++ b/lasso/saml-2.0/logout.c
@@ -164,7 +164,8 @@ lasso_saml20_logout_init_request(LassoLogout *logout, LassoProvider *remote_prov
&& remote_provider->private_data->encryption_public_key != NULL) {
encrypted_element = LASSO_SAML2_ENCRYPTED_ELEMENT(lasso_node_encrypt(
LASSO_NODE(LASSO_SAMLP2_LOGOUT_REQUEST(request)->NameID),
- remote_provider->private_data->encryption_public_key));
+ remote_provider->private_data->encryption_public_key,
+ remote_provider->private_data->encryption_sym_key_type));
if (encrypted_element != NULL) {
LASSO_SAMLP2_LOGOUT_REQUEST(request)->EncryptedID = encrypted_element;
LASSO_SAMLP2_LOGOUT_REQUEST(request)->NameID = NULL;
diff --git a/lasso/xml/saml-2.0/saml2_assertion.c b/lasso/xml/saml-2.0/saml2_assertion.c
index 282c42ee..98d431c8 100644
--- a/lasso/xml/saml-2.0/saml2_assertion.c
+++ b/lasso/xml/saml-2.0/saml2_assertion.c
@@ -96,6 +96,8 @@ static struct XmlSnippet schema_snippets[] = {
G_STRUCT_OFFSET(LassoSaml2Assertion, encryption_activated) },
{ "EncryptionPublicKeyStr", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
G_STRUCT_OFFSET(LassoSaml2Assertion, encryption_public_key_str) },
+ { "EncryptionSymKeyType", SNIPPET_ATTRIBUTE | SNIPPET_INTEGER | SNIPPET_LASSO_DUMP,
+ G_STRUCT_OFFSET(LassoSaml2Assertion, encryption_sym_key_type) },
{NULL, 0, 0}
};
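Review bot: The new EncryptionSymKeyType snippet reads the value back from a dump as a plain integer (SNIPPET_INTEGER) with no range check, so a dump written by a different version or edited by hand can carry any number; lasso_node_encrypt then routes it through its `default:` label and silently encrypts with AES-128. Since the dump is the persisted form of the session, either clamp the value against the enum when the assertion is loaded or have lasso_node_encrypt log a warning for values outside LassoEncryptionSymKeyType instead of falling back quietly. A comment here noting that the numeric enum value is now part of the dump format would warn future editors of xml_enc.h not to reorder the enumerators.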
@@ -146,6 +148,7 @@ instance_init(LassoSaml2Assertion *node)
node->certificate_file = NULL;
node->encryption_activated = FALSE;
node->encryption_public_key_str = NULL;
+ node->encryption_sym_key_type = LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT;
}
static void
diff --git a/lasso/xml/saml-2.0/saml2_assertion.h b/lasso/xml/saml-2.0/saml2_assertion.h
index 1e2337d1..1c8065c0 100644
--- a/lasso/xml/saml-2.0/saml2_assertion.h
+++ b/lasso/xml/saml-2.0/saml2_assertion.h
@@ -53,6 +53,8 @@ typedef struct _LassoSaml2AssertionClass LassoSaml2AssertionClass;
#include "saml2_subject.h"
#include "saml2_name_id.h"
+#include <lasso/xml/xml_enc.h>
+
struct _LassoSaml2Assertion {
LassoNode parent;
@@ -78,6 +80,7 @@ struct _LassoSaml2Assertion {
char *certificate_file;
gboolean encryption_activated;
char *encryption_public_key_str;
+ LassoEncryptionSymKeyType encryption_sym_key_type;
};
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index e3135a8d..e4426d90 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -453,7 +453,7 @@ lasso_assertion_encrypt(LassoSaml2Assertion *assertion)
/* Finally encrypt the assertion */
encrypted_element = LASSO_NODE(lasso_node_encrypt(LASSO_NODE(assertion),
- encryption_public_key));
+ encryption_public_key, assertion->encryption_sym_key_type));
g_free(b64_value);
g_free(value);
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index 72795847..30b16e6c 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -411,7 +411,8 @@ lasso_node_export_to_soap(LassoNode *node)
* It must be freed by the caller.
**/
LassoSaml2EncryptedElement*
-lasso_node_encrypt(LassoNode *lasso_node, xmlSecKey *encryption_public_key)
+lasso_node_encrypt(LassoNode *lasso_node, xmlSecKey *encryption_public_key,
+ LassoEncryptionSymKeyType encryption_sym_key_type)
{
xmlDocPtr doc = NULL;
xmlNodePtr orig_node = NULL;
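Review bot: The gtk-doc block above lasso_node_encrypt (it begins before this hunk) is not updated for the new parameter, so the generated API documentation will list the function with an undocumented argument. I would add `* @encryption_sym_key_type: symmetric cipher used for the EncryptedData, see #LassoEncryptionSymKeyType` to the parameter list, and state which cipher LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT selects, since callers that pass the default need to know what they get on the wire.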
@@ -421,6 +422,7 @@ lasso_node_encrypt(LassoNode *lasso_node, xmlSecKey *encryption_public_key)
xmlNodePtr encrypted_key_node = NULL;
xmlNodePtr key_info_node2 = NULL;
xmlSecEncCtxPtr enc_ctx = NULL;
+ xmlSecTransformId xmlsec_encryption_sym_key_type;
if (encryption_public_key == NULL || !xmlSecKeyIsValid(encryption_public_key)) {
message(G_LOG_LEVEL_WARNING, "Invalid encryption key");
@@ -438,9 +440,23 @@ lasso_node_encrypt(LassoNode *lasso_node, xmlSecKey *encryption_public_key)
orig_node = lasso_node_get_xmlNode(lasso_node, FALSE);
xmlDocSetRootElement(doc, orig_node);
- /* Create encryption template for a 128-bit AES key */
- encrypted_element->EncryptedData = xmlSecTmplEncDataCreate(doc, xmlSecTransformAes128CbcId,
- NULL, xmlSecTypeEncElement, NULL, NULL);
+ /* Get the symetric key type */
+ switch (encryption_sym_key_type) {
+ case LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256:
+ xmlsec_encryption_sym_key_type = xmlSecTransformAes256CbcId;
+ break;
+ case LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128:
+ default:
+ xmlsec_encryption_sym_key_type = xmlSecTransformAes128CbcId;
+ break;
+ case LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES:
+ xmlsec_encryption_sym_key_type = xmlSecTransformDes3CbcId;
+ break;
+ }
+
+ /* Create encryption template for a specific symetric key type */
+ encrypted_element->EncryptedData = xmlSecTmplEncDataCreate(doc,
+ xmlsec_encryption_sym_key_type, NULL, xmlSecTypeEncElement, NULL, NULL);
if (encrypted_element->EncryptedData == NULL) {
message(G_LOG_LEVEL_WARNING, "Failed to create encryption template");
return NULL;
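Review bot: LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT has no case label in this switch and therefore lands on `default:`, which selects xmlSecTransformAes128CbcId, while the enum documentation added to xml_enc.h in this same commit says the default is AES-256; one of the two is wrong and the same mapping is repeated in the key-generation switch later in this function. Whichever cipher is intended, give DEFAULT its own label (`case LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT:` grouped with the matching AES case) so that `default:` is reserved for out-of-range values, and move `default:` to the end of the switch where readers expect to find it. The enclosing function starts before this hunk.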
@@ -516,8 +532,23 @@ lasso_node_encrypt(LassoNode *lasso_node, xmlSecKey *encryption_public_key)
return NULL;
}
- /* generate a 128-bit AES key */
- enc_ctx->encKey = xmlSecKeyGenerate(xmlSecKeyDataAesId, 128, xmlSecKeyDataTypeSession);
+ /* generate a symetric key */
+ switch (encryption_sym_key_type) {
+ case LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256:
+ enc_ctx->encKey = xmlSecKeyGenerate(xmlSecKeyDataAesId, 256,
+ xmlSecKeyDataTypeSession);
+ break;
+ case LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128:
+ default:
+ enc_ctx->encKey = xmlSecKeyGenerate(xmlSecKeyDataAesId, 128,
+ xmlSecKeyDataTypeSession);
+ break;
+ case LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES:
+ enc_ctx->encKey = xmlSecKeyGenerate(xmlSecKeyDataDesId, 192,
+ xmlSecKeyDataTypeSession);
+ break;
+ }
+
if (enc_ctx->encKey == NULL) {
message(G_LOG_LEVEL_WARNING, "Failed to generate session des key");
return NULL;
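Review bot: The warning on the `enc_ctx->encKey == NULL` path still reads "Failed to generate session des key" although the key is now AES in two of the three cases, and this switch duplicates the cipher dispatch already done when the encryption template was created earlier in the function, so the transform and the generated key can drift apart if only one of them is edited. A single static helper that yields the transform id, key data id and key length for a LassoEncryptionSymKeyType, called once near the top of lasso_node_encrypt, removes the duplication and gives out-of-range values one place to be rejected. The sketch below groups DEFAULT with AES-256 on the assumption that the xml_enc.h documentation is the intended contract; if AES-128 is what peers expect, the header text is what needs changing. The enclosing function starts before this hunk.
```c
/* Resolve a LassoEncryptionSymKeyType into the xmlsec transform, key data
 * id and key length it denotes.  Returns -1 for a value outside the enum so
 * the caller fails loudly instead of silently picking a cipher. */
static int
lasso_sym_key_params(LassoEncryptionSymKeyType type, xmlSecTransformId *transform,
		xmlSecKeyDataId *key_data, xmlSecSize *key_bits)
{
	switch (type) {
	case LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT: /* documented in xml_enc.h as AES-256 */
	case LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256:
		*transform = xmlSecTransformAes256CbcId;
		*key_data = xmlSecKeyDataAesId;
		*key_bits = 256;
		return 0;
	case LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128:
		*transform = xmlSecTransformAes128CbcId;
		*key_data = xmlSecKeyDataAesId;
		*key_bits = 128;
		return 0;
	case LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES:
		*transform = xmlSecTransformDes3CbcId;
		*key_data = xmlSecKeyDataDesId;
		*key_bits = 192;
		return 0;
	default:
		return -1;
	}
}

/* … in lasso_node_encrypt, the helper is called once before the template is
 * created (earlier hunk); this replaces the second switch … */
	enc_ctx->encKey = xmlSecKeyGenerate(key_data, key_bits, xmlSecKeyDataTypeSession);
	if (enc_ctx->encKey == NULL) {
		message(G_LOG_LEVEL_WARNING, "Failed to generate session key");
		return NULL;
	}
```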
diff --git a/lasso/xml/xml_enc.h b/lasso/xml/xml_enc.h
index b7d87c8b..65437961 100644
--- a/lasso/xml/xml_enc.h
+++ b/lasso/xml/xml_enc.h
@@ -32,8 +32,25 @@ extern "C" {
#include <lasso/xml/xml.h>
#include <lasso/xml/saml-2.0/saml2_encrypted_element.h>
+/**
+ * LassoEncryptionSymKeyType:
+ * LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT : Default type (Aes 256)
+ * LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256 : Aes 256 bits key
+ * LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128 : Aes 128 bits key
+ * LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES : Triple DES 192 bits key
+ *
+ * Encryption symetric key type.
+ **/
+typedef enum {
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT,
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256,
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128,
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES
+} LassoEncryptionSymKeyType;
+
LassoSaml2EncryptedElement* lasso_node_encrypt(LassoNode *lasso_node,
- xmlSecKey *encryption_public_key);
+ xmlSecKey *encryption_public_key,
+ LassoEncryptionSymKeyType encryption_sym_key_type);
LassoNode* lasso_node_decrypt(LassoSaml2EncryptedElement* encrypted_element,
xmlSecKey *encryption_private_key);
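Review bot: The numeric values of LassoEncryptionSymKeyType become part of the assertion dump format in this commit (saml2_assertion.c stores the field with SNIPPET_INTEGER), yet the enum relies on implicit numbering, so inserting or reordering an enumerator later would silently change the cipher selected when an older dump is reloaded. Pinning the values, `LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT = 0,` and so on, plus a comment `/* values are persisted in assertion dumps; append only, never reorder */`, makes the constraint visible. The comment block could also note that LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES is provided for interoperability with legacy peers rather than as a recommended choice, so that API users reach for the AES variants by default.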
diff --git a/swig/Lasso.i b/swig/Lasso.i
index 43d501e6..9ed38556 100644
--- a/swig/Lasso.i
+++ b/swig/Lasso.i
@@ -1022,6 +1022,22 @@ typedef enum {
LASSO_ENCRYPTION_MODE_ASSERTION
} LassoEncryptionMode;
+
+/* Encryption symetric key type */
+#ifndef SWIGPHP4
+%rename(ENCRYPTION_SYM_KEY_TYPE_DEFAULT) LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT;
+%rename(ENCRYPTION_SYM_KEY_TYPE_AES_256) LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256;
+%rename(ENCRYPTION_SYM_KEY_TYPE_AES_128) LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128;
+%rename(ENCRYPTION_SYM_KEY_TYPE_3DES) LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES;
+#endif
+typedef enum {
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT,
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256,
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128,
+ LASSO_ENCRYPTION_SYM_KEY_TYPE_3DES
+} LassoEncryptionSymKeyType;
+
+
/***********************************************************************
* Errors
***********************************************************************/
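Review bot: The LassoEncryptionSymKeyType enum is duplicated here from lasso/xml/xml_enc.h and nothing ties the two copies together; since the integer values are now persisted in assertion dumps, a future edit to one copy but not the other would make the bindings select a different cipher than the C library thinks it is using. A comment above the typedef, `/* must match LassoEncryptionSymKeyType in lasso/xml/xml_enc.h exactly */`, is the minimum; sharing the definition via %include, if the rest of the interface file allows it, would remove the duplication altogether. The surrounding `#ifndef SWIGPHP4` / %rename pattern appears to follow the existing LassoEncryptionMode declarations just above, so that part looks consistent.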
@@ -5013,6 +5029,9 @@ typedef struct {
%newobject setEncryptionMode;
void setEncryptionMode(LassoEncryptionMode encryption_mode);
+
+ %newobject setEncryptionSymKeyType;
+ void setEncryptionSymKeyType(LassoEncryptionSymKeyType encryption_sym_key_type);
}
%{
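Review bot: `%newobject setEncryptionSymKeyType;` has no effect on a method that returns void, because %newobject only transfers ownership of a returned pointer to the target language. It was evidently copied from the `%newobject setEncryptionMode;` line above it, which has the same problem, but carrying the directive forward just propagates the mistake; drop the new %newobject line and consider removing the existing one in a follow-up.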
@@ -5038,6 +5057,7 @@ typedef struct {
#define LassoProvider_hasProtocolProfile lasso_provider_has_protocol_profile
#define LassoProvider_getOrganization(self) get_xml_string(lasso_provider_get_organization(self))
#define LassoProvider_setEncryptionMode lasso_provider_set_encryption_mode
+#define LassoProvider_setEncryptionSymKeyType lasso_provider_set_encryption_sym_key_type
%}
@@ -5149,9 +5169,9 @@ typedef struct {
int setEncryptionPrivateKey(char *filename);
END_THROW_ERROR()
- THROW_ERROR()
- int loadAffiliation(char *filename);
- END_THROW_ERROR()
+ THROW_ERROR()
+ int loadAffiliation(char *filename);
+ END_THROW_ERROR()
#ifdef LASSO_WSF_ENABLED
THROW_ERROR()